A local overflow exists in BSD-derived libc libraries. The realpath() function fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

wu-ftpd implements a function derived from the libc realpath(), called fb_realpath(). A vulnerability was discovered in this function, and an advisory for wu-ftpd was released on July 31, 2003. The discovery of the wu-ftpd bug in fb_realpath() caused the BSD's to take a look at their libc implementations of realpath(), and they found that the error still exists in their implementations, and affected any program which called realpath(). While this vulnerability exists in separate implementations for wu-ftpd and the BSD libc, both inherit the vulnerability from the 4.4BSD codebase.

Each vendor maintains its own implementation of realpath(), and each has released a patch or upgrade to address the issue. Please refer to the specific vendor advisory for more information.

• Security Tracker: 1007380
• ISS X-Force ID: 12785
• CVE ID: 2003-0466 (see also: NVD)
• Related OSVDB ID: 2133
• SCIP VulDB ID: 218
• CERT VU: 743092
• Bugtraq ID: 8315
• Secunia Advisory ID: 9423 9446 9447 9535
• Vendor Specific Advisory URL: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpath.asc ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-011.txt.asc http://www.openbsd.org/errata33.html#realpath
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-08/0042.html
  http://marc.theaimsgroup.com/?l=bugtraq&m=106002488209129&w=2
• Vendor Specific Solution URL: http://docs.info.apple.com/article.html?artnum=120239
• Generic Exploit URL: http://downloads.securityfocus.com/vulnerabilities/exploits/lukemftp.pl
  http://www.securiteam.com/exploits/5LP0H15AUQ.html
• Other Advisory URL: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt

• Wojciech Purczynski - cliphisec.pl - isec.pl
• Janusz Niewiadomski - funkyshisec.pl - Isec